Tutorial: Configure Full and Split Tunneling in Access Server

Abstract

Configure full and split tunneling in OpenVPN Access Server using the Admin Web UI and CLI. Learn how to control traffic routing globally and per user or group.

Overview

This tutorial explains how to configure full and split tunneling in Access Server.

You'll learn:

  • How tunneling works.

  • How to configure it globally.

  • How to override settings for specific users and groups using both the Admin Web UI and CLI.

Prerequisites

  • Access Server installed and running.

  • Admin Web UI access.

  • Root access to the Access Server console (for CLI steps).

How full and split tunneling work in Access Server

Access Server uses two OpenVPN directives to control traffic routing:

  • redirect-gateway: Sends all client traffic through the VPN (full tunnel).

  • redirect-private: Routes only specific private subnets through the VPN while other traffic uses the client's local internet connection (split tunnel).

By default, full tunneling is configured globally and can be overridden at the user or group level.

Configure globally using Admin Web UI

  1. Sign in to the Admin Web UI.

  2. Click Configuration → VPN Settings.

  3. Under Routing, select your desired tunnel configuration:

    • For full tunnel: Set Should client Internet traffic be routed through the VPN? to Yes.

    • For split tunnel: Set Should client Internet traffic be routed through the VPN? to No.

Configure globally using CLI

  1. Connect to the console and get root privileges.

  2. Switch to the scripts directory:

    cd /usr/local/openvpn_as/scripts/

  3. Configure full tunneling:

    ./sacli --key "vpn.client.routing.reroute_gw" --value "true" ConfigPut
    ./sacli start

  4. Configure split tunneling:

    ./sacli --key "vpn.client.routing.reroute_gw" --value "false" ConfigPut
    ./sacli start

Override the global setting with split tunneling for a user or group

Important

This override can only be configured using the CLI.

  1. Connect to the console and get root privileges.

  2. Switch to the scripts directory:

    cd /usr/local/openvpn_as/scripts/

  3. Enable split tunneling without pushing DNS:

    ./sacli --user <USER_OR_GROUP> --key "prop_reroute_gw_override" --value "disable" UserPropPut

  4. Enable split tunneling while still pushing DNS:

    ./sacli --user <USER_OR_GROUP> --key "prop_reroute_gw_override" --value "dns_only" UserPropPut

  5. Refresh the Access Server configuration:

    ./sacli start

Override the global setting with full tunneling for a user or group

Important

This method simulates full tunneling by routing all traffic using two large subnets:

  • 0.0.0.0/1

  • 128.0.0.0/1
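
Why the two /1 prefixes behave like a full tunnel, shown as an added example that is not part of the Access Server documentation: a client picks routes by longest-prefix match, so the two halves together cover all of IPv4 and outrank the local default route without replacing it. The interface names, the 10.0.0.0/8 private subnet and the 192.168.1.0/24 home LAN are constructed assumptions.

```python
import ipaddress

# Constructed client routing tables: (destination prefix, egress interface).
# LOCAL is what the client has before connecting: default route plus its LAN.
LOCAL = [("0.0.0.0/0", "wlan0"), ("192.168.1.0/24", "wlan0")]
# Split tunnel: only a private subnet is routed into the VPN.
SPLIT = LOCAL + [("10.0.0.0/8", "tun0")]
# Simulated full tunnel: the two /1 prefixes from the tutorial.
SIMULATED_FULL = LOCAL + [("0.0.0.0/1", "tun0"), ("128.0.0.0/1", "tun0")]


def egress(table, dst):
    """Return the interface chosen for dst by longest-prefix match."""
    addr = ipaddress.ip_address(dst)
    matches = [
        (ipaddress.ip_network(prefix), iface)
        for prefix, iface in table
        if addr in ipaddress.ip_network(prefix)
    ]
    # The most specific (longest) matching prefix wins.
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def covers_all_ipv4(prefixes):
    """True if the given prefixes together span the whole IPv4 space."""
    merged = ipaddress.collapse_addresses(
        ipaddress.ip_network(p) for p in prefixes
    )
    return list(merged) == [ipaddress.ip_network("0.0.0.0/0")]


if __name__ == "__main__":
    for name, table in (("split", SPLIT), ("simulated full", SIMULATED_FULL)):
        for dst in ("10.20.30.40", "198.51.100.10", "192.168.1.50"):
            print(f"{name:15} {dst:15} -> {egress(table, dst)}")
    print("two /1 prefixes cover IPv4:",
          covers_all_ipv4(["0.0.0.0/1", "128.0.0.0/1"]))
```

In the constructed table the /24 LAN route is more specific than either /1 prefix, so traffic to hosts on the client's own LAN still leaves through the local interface.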

Configure using Admin Web UI for users

  1. Sign in to the Admin Web UI.

  2. Click User Management → User Permissions.

  3. Find your user, and click the More Settings icon.

  4. Under Access Control, add 0.0.0.0/1 and 128.0.0.0/1 to the Allow Access To these Networks field.

Configure using Admin Web UI for groups

  1. Sign in to the Admin Web UI.

  2. Click User Management → Group Permissions.

  3. Find your group, and click the More Settings icon.

  4. Set Access Control to Yes.

  5. Add 0.0.0.0/1 and 128.0.0.0/1 to the Allow Access To networks and services field.

Configure using CLI for users or groups

  1. Connect to the console and get root privileges.

  2. Switch to the scripts directory:

    cd /usr/local/openvpn_as/scripts/

  3. Use these commands to enable full tunnel for a user, without changing DNS settings:

    ./sacli --user <USER_NAME> --key "type" --value "user_compile" UserPropPut
    ./sacli --user <USER_NAME> --key "access_to.0" --value "+NAT:0.0.0.0/1" UserPropPut
    ./sacli --user <USER_NAME> --key "access_to.1" --value "+NAT:128.0.0.0/1" UserPropPut

  4. Use these commands to enable full tunnel for a group, without changing DNS settings:

    ./sacli --user <GROUP_NAME> --key "access_to.0" --value "+SUBNET:0.0.0.0/1" UserPropPut
    ./sacli --user <GROUP_NAME> --key "access_to.1" --value "+SUBNET:128.0.0.0/1" UserPropPut

  5. Refresh the Access Server configuration:

    ./sacli start